When Senators Ask Followup Questions, You Answer Them.

Following my Senate testimony last month, several Senators reached out with additional questions and clarification requests. As I understand it this is pretty standard. Given I published my testimony here earlier, I asked if I could do the same for my written followup. The committee agreed, the questions and my answers are below.

Questions for the Record from Sen. Cortez Masto (D. Nevada)

Facebook Audits

On April 4, 2018, following the public controversy over Cambridge Analytica’s use of user data, Facebook announced several additional changes to its privacy policies. The changes include increased restrictions on apps’ ability to gather personal data from users and also a policy of restricting an app’s access to user data if that user has not used the app in the past three months. In addition, Facebook has committed to conducting a comprehensive review of all apps gathering data on Facebook, focusing particularly on apps that were permitted to collect data under previous privacy policies. Facebook will also notify any users affected by the Cambridge Analytica data leak.

Question 1: What steps can the government take to ensure that there is proper oversight of these reviews and audits?

John Battelle’s response:

I think this is a simple answer: Make sure Facebook does what it says it will do, and make sure its response is a matter not only of public record, but also public comment. This should include a full and complete accounting of how the audit was done and the findings.

Question 2: From a technical standpoint, how effective are forensic methods at ascertaining information related to what data was transferred in these cases?

John Battelle’s response:

I’m not a technologist, I’m an entrepreneur, author, analyst and commentator. I’d defer to someone who has more knowledge than myself on issues of forensic data analysis.  

Technology for Consumer Protection

Question 1: Are there any technological solutions being developed that can help address some of the issues of consumers’ privacy being violated online?

John Battelle’s response:

Yes, there are many, likely too many to mention. Instead, what I’d like to highlight is the importance of the architecture of how data flows in our society. We should be creating a framework that allows data to flow ethically, securely, and with key controls around permissioning, editing, validation, revocation, and value exchange. Blockchains hold great promise here, but are still underdeveloped (but they’re evolving rapidly).

Data Retention

Question 1: What should we, as legislators, be thinking about to verify that – when Americans are told that their data has been destroyed – that deletion can actually be confirmed?

John Battelle’s response:

Independent third party auditing services that services such as Facebook must employ seems the most straightforward response. “Trust us” is not enough, we must trust and verify.

Law Enforcement

During the hearing we had a brief discussion on the balance between privacy and sharing data with law enforcement.

Question 1: What should companies keep in mind to ensure that they can appropriately assist in law enforcement investigations?

John Battelle’s response:

This is a delicate balance, as evinced in the varied responses to these kind of cases from companies like Apple, Twitter, Yahoo, and others. Valid search warrants, not fishing expeditions, should be the rule. We’ve got the framework for this already. The issue of how governments and law enforcement deal with encryption is unresolved. However, I fall on the side of enabling strong encryption, as I believe all citizens have the right to privacy. Lose that, and we lose democracy.  

Questions 2: As lawmakers, what should we be aware of as we try to strike the right balance between privacy and safety in this area?

John Battelle’s response:

Democracy is open, messy, transparent, and has many failures. But it’s the best system yet devised (in my humble opinion) and privacy lies at its core. That means criminals will be able to abuse its benefits. That is a tradeoff we have to accept and work around. Sure, it’d be great if law enforcement had access to all the data created by its citizens. Until it’s abused, and cases of this kind of abuse by government are easy to find.

Senator Richard Blumenthal (D. Conn) Questions for the Record 

Privacy Legislation

Across hearings and questions for the record, members of Congress have raised concerns about the data collection tactics used by Facebook that are not made clear to its users. As I stated during the hearing, I am interested in putting into place rules of the road for online privacy, taking into consideration the European General Data Protection Regulation. During the hearing Mr. Battelle and others offered support for the intent of GDPR, but expressed reservations about the implementation and unintended consequences. I look forward to any further thoughts from the panelists regarding how to implement data privacy rules in the United States.

 Question for All Panelists:

Question 1. In addition to any recommendations or comments on what types of legislation or other measures could help protect consumer privacy, what lessons and principles of the California Consumer Privacy Act and the GDPR should Congress consider in privacy legislation?

 John Battelle’s response:

Implementation of sweeping legislation like those mentioned above is extremely onerous for small business. Instead of using that as an excuse to avoid legislation, the policy should incorporate remedies for smaller business (IE, enabling federation of resources and response/compliance, enabling trusted intermediaries).

The principle of empowering the consumer is embodied in both GDPR and CCPA. While well intentioned, neither envision how that empowerment will truly be effective in a modern digital marketplace. Take the principle of data portability. It’s one thing to allow consumers to download a copy of their data from a platform or service. But for that data to drive innovation, it must be easily uploaded, in a defined, well-governed, machine-readable format, so that new kinds of services can flourish. Watch how large tech platforms chip away at CCPA and attempt to subvert that ecosystem from taking root. Consider how best to ensure that ecosystem will in fact exist. I’m not a legislative analyst, but there must be an enlightened way to encourage a class of data brokers (and yes, they’re not all bad) who enable re-aggregation of consumer data, replete with permissions, revocation, validation, editing, and value exchange. Happy to talk more about this.

Questions for Mr. Battelle:

Question 2. You have written at length about the influence of Facebook and Google on the advertising and third party data market. In your experience, has Facebook driven the ad market as a sector to more invasively collect data about people? What other changes in the ad market can be attributed to the dominance of Google and Facebook?

John Battelle’s response:

Yes, without question, Facebook has driven what you describe in your initial question. But not for entirely negative reasons. Because Facebook has so much information on its users, larger advertisers feel at a disadvantage. This is also true of publishers who use Facebook for distribution (another important aspect of the platform, especially as it relates to speech and democratic discourse). Both advertisers and publishers wish to have a direct, one to one dialog with their customers, and should be able to do so on any platform. Facebook, however, has forced their business model into the middle of this dialog – you must purchase access to your followers and your readers. A natural response is for advertisers and publishers to build their own sophisticated databases of their customers and potential customers. This is to be expected, and if the data is managed ethically and transparently, should not be considered an evil.

As for other changes in the ad market that might be attributed to FB and GOOG, let’s start with the venture funding of media startups, or advertising-dependent startups of any kind. Given the duopoly’s dominance of the market, it’s become extremely hard for any entrepreneur to find financing for ideas driven by an advertising revenue stream. Venture capitalists will say “Well, that’s a great (idea, service, product), but no way am I going to fund a company that has to compete with Google or Facebook.” This naturally encourages a downward spiral in innovation.

Another major problem in ad markets is the lack of portable data and insights between Facebook and Google. If I’m an advertiser or publisher on Facebook, I’d like a safe, ethical, and practical way to know who has responded to my messaging on that platform, and to take that information across platforms, say to Google’s YouTube or Adwords. This is currently far too hard to do, if not impossible in many cases. This also challenges innovation across the business ecosystem.

Questions for the Record

Senator Margaret Wood Hassan (D. New Hampshire)

Question 1. The internet has the potential to connect people with ideas that challenge their worldview, and early on many people were hopeful that the internet would have just that effect. But too often we have seen that social media sites like Facebook serve instead as an echo chamber that polarizes people instead of bringing them together, showing them content that they are more likely to agree with rather than exposing them to new perspectives. Do you agree this is a problem? And should we be taking steps to address this echo chamber effect?

John Battelle’s response:

Yes, this filter bubble problem is well defined and I agree it’s one of the major design challenges we face not only for Facebook, but for our public discourse as well. The public square, as it were, has become the domain of private companies, and private companies do not have to follow the same rules as, say, UC Berkeley must follow in its public spaces (Chancellor Carol Christ has been quite eloquent on this topic, see her interview at the NewCo Shift Forum earlier this year).

As to steps that might be taken, this is a serious question that balances a private corporation’s right to conduct its business as it sees fit, and the rights and responsibilities of a public space/commons. I’d love to see those corporations adopt clear and consistent rules about speech, but they are floundering (see Mr. Zuckerberg’s recent comments on Holocaust deniers, for example). I’d support a multi-stakeholder commission on this issue, including policymakers, company representatives, legal scholars, and civic leaders to address the issue.

Question 2. In your testimony you discuss the value of data. You stated that you think in some ways, QUOTE, “data is equal to – or possibly even more valuable than – monetary currency.” We in Congress are seeking to figure out the value of data as well to help us understand the costs and benefits of protecting this data. Can you expand on what value you think data has, and how we should be thinking about measuring that value – both as citizens and as legislators?

John Battelle’s response:

Just as we had no idea the value of oil when it first came into the marketplace (it was used for lamps and for paving streets, and no one could have imagined the automobile industry), we still have not conceived of the markets, products, and services that could be enabled by free flowing and ethically sourced and permissioned data in our society. It’s literally too early to know, and therefore, too early to legislate in sweeping fashions that might limit or retard innovation. However, one thing I am certain of is that data – which is really a proxy for human understanding and innovation – is the most fundamentally valuable resource in the world. All money is simply data, when you think about it, and therefore a subset of data.

So how to measure its value? I think at this point it’s impossible – we must instead treat it as an infinitely valuable resource, and carefully govern its use. I’d like to add my response to another Senator’s question here, about new laws (GDPR and the California Ballot initiative) as added reference:

Implementation of sweeping legislation like those mentioned above is extremely onerous for small business. Instead of using that as an excuse to avoid legislation, the policy should incorporate remedies for smaller business (IE, enabling federation of resources and response/compliance, enabling trusted intermediaries).

The principle of empowering the consumer is embodied in both GDPR and CCPA. While well intentioned, neither envision how that empowerment will truly be effective in a modern digital marketplace. Take the principle of data portability. It’s one thing to allow consumers to download a copy of their data from a platform or service. But for that data to drive innovation, it must be easily uploaded, in a defined, well-governed, machine-readable format, so that new kinds of services can flourish. Watch how large tech platforms chip away at CCPA and attempt to subvert that ecosystem from taking root. Consider how best to ensure that ecosystem will in fact exist. I’m not a legislative analyst, but there must be an enlightened way to encourage a class of data brokers (and yes, they’re not all bad) who enable re-aggregation of consumer data, replete with permissions, revocation, validation, editing, and value exchange. Happy to talk more about this.

Question 3. Mark Zuckerberg has said that he sees Facebook more as a government than a traditional company.  Among other things, governments need to be transparent and open about the decisions they make. Many large institutions have set up independent systems — such as offices of inspectors general or ombudsmen and ethics boards — to ensure transparency and internally check bad decisions.  Facebook has none of those controls. What kinds of independent systems should companies like Facebook have to publicly examine and explain their decision-making?

John Battelle’s response:

OK, this one is simple. Facebook is NOT a government. If it is, I don’t want to be a “citizen.” I think Mr. Zuckerberg is failing to truly understand what a government truly is. If indeed Facebook wishes to become a nation state, then first it must decide what kind of nation state it wishes to be. It needs a constitution, a clear statement of rights, roles, responsibilities, and processes. None of these things exist at the moment. A terms of service does not a government make.

However, all of the ideas you mention make a ton of sense for Facebook at this juncture. I’d be supportive of them all.

Author: John Battelle

A founder of NewCo (current CEO), sovrn (Chair), Federated Media, Web 2 Summit, The Industry Standard, Wired. Author, investor, board member (Acxiom, Sovrn, NewCo), bike rider, yoga practitioner.

Leave a Reply